Privacy first, cookieless web analytics platform operated from the United Kingdom that measures pageviews, sessions and conversions without persistent identifiers and without sending data to advertising networks.
Cabin is a privacy first, cookieless web analytics platform. It loads a small JavaScript snippet that sends an event per pageview to a Cabin endpoint on the merchant subdomain. Visitor identity is derived from a daily rotating salted hash of the IP and the user agent, so the same visitor cannot be tracked across days, sites or sessions beyond 24 hours.
Cabin captures URL, referrer, country, region, device class, browser family and the daily hashed identifier. It does not store the raw IP, does not persist any cookie and does not share data with advertising networks. Aggregated metrics are kept for the configured retention period.
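A sketch of a daily rotating salted identifier of the kind described above, added here as an illustration and not Cabin's own code. The HMAC-SHA256 construction, the per-site in-memory salt store and every name in it are assumptions; the IP addresses and user agents are constructed samples.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Holds one random salt per site, valid for a single day (assumed design)."""

    def __init__(self):
        self._salts = {}  # site -> (day, salt)

    def salt_for(self, site: str, day: date) -> bytes:
        current = self._salts.get(site)
        if current is None or current[0] != day:
            # Rotation: the previous salt is overwritten, never archived, so
            # earlier identifiers cannot be recomputed or linked to new ones.
            current = (day, secrets.token_bytes(32))
            self._salts[site] = current
        return current[1]


def visitor_id(store: DailySaltStore, site: str, day: date,
               ip: str, user_agent: str) -> str:
    """Keyed hash of IP + user agent; the raw IP is never stored or returned."""
    salt = store.salt_for(site, day)
    # Length-prefix each field so the boundary between IP and UA is unambiguous.
    msg = b"".join(len(f).to_bytes(4, "big") + f
                   for f in (ip.encode(), user_agent.encode()))
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def unique_visitors(store: DailySaltStore, site: str, day: date, hits) -> int:
    """Count distinct visitors for one site on one day from (ip, ua) pairs."""
    return len({visitor_id(store, site, day, ip, ua) for ip, ua in hits})


if __name__ == "__main__":
    store = DailySaltStore()
    ua = "Mozilla/5.0 (constructed sample)"
    monday, tuesday = date(2024, 1, 1), date(2024, 1, 2)
    print(visitor_id(store, "shop.example", monday, "203.0.113.7", ua))
    print(visitor_id(store, "shop.example", tuesday, "203.0.113.7", ua))
```

Because the salt is random and discarded at rotation, the stored identifier only supports same-day, same-site deduplication; whether the output counts as anonymised depends on the salt really being unrecoverable afterwards.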
Cabin is designed to qualify for the audience measurement exemption recognised by the CNIL (no persistent identifier, no cross site profiling, strict data minimisation). Because no information is stored on or read from the device, Article 5(3) of the ePrivacy Directive is not triggered.
No prior consent is needed in EU member states that follow the CNIL approach (France, Spain, Italy, Belgium and similar). In Germany the BfDI also accepts this approach when documented. Document the analysis in your records of processing and inform users in the privacy notice.
Cabin is hosted in the United Kingdom (which has an adequacy decision) and in EU data centres (Hetzner). No transfer to a non adequate third country occurs.
Sign the DPA, set up the analytics endpoint on a first-party subdomain, document the legitimate interest balancing test and the CNIL exemption analysis, list Cabin in your privacy notice, restrict admin access to the analytics dashboard, and re-evaluate if you ever enable optional features that store an identifier.
Websites using Cabin must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for standard Cabin usage thanks to its cookieless, aggregated approach. A short legitimate interest assessment in the ROPA is usually enough; document the daily hashed salt and the absence of cross site profiling.
Sample consent text
We use Cabin (UK based, cookieless analytics) to measure aggregated traffic on our website. Cabin does not set cookies, does not track you across other sites and does not share your data with advertising networks. No prior consent is required.
Third-party domains contacted
withcabin.com
cabinanalytics.com
cdn.withcabin.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set | http | N/A | Cabin is cookieless by design: no cookies, localStorage or sessionStorage entries are written by the analytics tag. Visitor identity is derived from a daily rotating salted hash on the server side. |
None. Cabin is cookieless by design and does not write any cookie, localStorage or sessionStorage entry on the device. Visitor identity is derived from a daily rotating salted hash on the server side.
No prior consent is required when Cabin is used as shipped, because no information is stored on or read from the device and no persistent identifier is created. The CNIL accepts this configuration under its audience measurement exemption.
Article 6(1)(f) GDPR (legitimate interest in measuring website performance). The legitimate interest balancing test is favourable because data is aggregated, anonymised after 24 hours and never shared with advertising partners.
No. Cabin is hosted in the UK (adequate) and in EU data centres. No transfer to a non adequate third country occurs.
No. The cookieless, aggregated approach removes the high risk indicators that would trigger Article 35 GDPR. A short legitimate interest analysis in your ROPA is sufficient.
Sign the DPA, deploy the analytics endpoint on a first party subdomain, mention Cabin in your privacy notice, document the audience measurement exemption analysis, and review the setup if you ever enable a feature that introduces a persistent identifier.
Other privacy first analytics tools include Plausible (EU), Fathom (UK / Canada), Simple Analytics (EU), Pirsch (EU), Umami (self hosted), Matomo with anonymous mode, Google Analytics with full anonymisation and aggregated reporting only, and Mixpanel in anonymous mode.
You typically do not need to add Cabin to the cookie banner, since it does not set cookies. Mention Cabin as a processor in the privacy notice under analytics, describe the cookieless approach, the legitimate interest basis and link to the Cabin privacy policy.